| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible stable/2023.1: Do not add all computes as OVN gateways https://review.opendev.org/c/openstack/openstack-ansible/+/893547 | 06:08 |
|---|---|---|
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 06:24 |
| admin1 | do we have any guides on how to do airgapped installs ? | 07:50 |
| admin1 | off a usb disk for example | 07:50 |
| jrosser | admin1: you might view it as an extension of the hooks we have for using mirrors | 07:51 |
| jrosser | if you have a locally accessible git repo with all the required repositories in it | 07:52 |
| jrosser | and a mirror copy of pypi somehow, then you're good to go using the documentation we have for "limited connectivity" | 07:52 |
| admin1 | thanks jrosser.. will take a look | 07:56 |
| opendevreview | Merged openstack/openstack-ansible-os_adjutant stable/zed: Revert "Install mysqlclient devel package" https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/892505 | 07:56 |
| jrosser | admin1: it also depends how truly airgapped you mean | 07:57 |
| admin1 | High security environments where no external connectivity is permitted -- this kind | 07:57 |
| jrosser | there is absolutely airgapped (no external connectivity at all), and also well defined boundaries like automated git repo mirrors with an interface in a DMZ to update and an interface in the deployment to use | 07:58 |
| admin1 | no internet, no default route type .. | 07:58 |
| jrosser | right | 07:58 |
| jrosser | in my deployments i have no default route | 07:58 |
| jrosser | but there are a number of machines that are highly secured and sit across the deployment and a DMZ to provide git mirror, pypi mirror etc | 07:59 |
| jrosser | so it depends exactly on what the requirements are, you can have different approaches with no default route | 07:59 |
| jrosser | ultimately you with need some way or another to update git repos and python packages, either through an intermediate network, USB stick, etc etc | 08:01 |
| admin1 | usb stick | 08:01 |
| jrosser | onother way to look at it is to build an AIO with the required services | 08:01 |
| jrosser | and copy the built wheels across | 08:01 |
| jrosser | that would simplify the pypi side where making a mirror is surprisingly difficult (the amount of data involved for a full mirror is truly huge) | 08:02 |
| opendevreview | Merged openstack/openstack-ansible-os_nova master: Add quorum queues support for the service https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/887849 | 08:03 |
| admin1 | thanks jrosser .. i will explore on this | 08:03 |
| admin1 | "and copy the built wheels across" -- is it as easy as taking a lxc backup of the repo and restoring it :D | 08:06 |
| admin1 | or overwriting to the new ones | 08:06 |
| opendevreview | Merged openstack/openstack-ansible-os_glance master: Add quorum support for glance https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/873632 | 08:19 |
| opendevreview | Merged openstack/openstack-ansible-os_neutron master: Add quorum queues support for the service https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/887803 | 08:24 |
| opendevreview | Merged openstack/openstack-ansible-os_neutron stable/2023.1: Stop haproxy on ovn-controller nodes https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/893450 | 08:24 |
| jrosser | admin1: i think everything you might need is in /var/www/repo | 11:14 |
| opendevreview | Merged openstack/openstack-ansible-os_cinder master: Add quorum queues support for service https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/875408 | 12:43 |
| jrosser | i am having trouble with config_template and {% raw %}....{% endraw %} | 13:13 |
| jrosser | it seems to want to evaluate inside the raw part in a way that the regular template modules does not | 13:13 |
| jrosser | bootstrap_aio uses config_template a bunch for user_variables_<>.yml really with no reason to | 13:14 |
| noonedeadpunk | jrosser: this should be fixed in latest config_tempalte | 13:28 |
| noonedeadpunk | it's not tagged yet | 13:28 |
| noonedeadpunk | https://opendev.org/openstack/ansible-config_template/commit/e528ed0e9e9f3d3fcb2f33ddc5d175faf72094ac | 13:28 |
| noonedeadpunk | so in fact that's not used anywhere | 13:29 |
| noonedeadpunk | And to make a new tag, I wanted to release in galaxy, but far that I was told to push a role for publishing to zuul-jobs | 13:29 |
| jrosser | ahha | 13:34 |
| jrosser | i was wanting to use config_template somewhere else too which would need it to be in galaxy | 13:34 |
| noonedeadpunk | yeah, I from time to time try to do progress on that, but always get new blockers and postpone for better times.... | 13:37 |
| jrosser | so funny thing is that is "fixed" in CI but not locally :) | 13:40 |
| noonedeadpunk | yeah...... | 13:45 |
| noonedeadpunk | so latest what I was told to do, is basically move https://opendev.org/openstack/ansible-collections-openstack/src/branch/master/ci/publish/publish_collection.yml to zuul-jobs repo as a role.... | 13:47 |
| noonedeadpunk | But the problem is also, that a secret for openstack namespace in galaxy stored specifically in the collections repo | 13:47 |
| noonedeadpunk | So then infra root or somebody should re-encrypt it to move to generic secrets... But also afaik - it's linked to someones personal github account... | 13:48 |
| noonedeadpunk | And it's a sig and not under tc governance basically like any other project... | 13:48 |
| noonedeadpunk | So it's /o\ | 13:48 |
| jrosser | argh | 13:51 |
| jrosser | the trouble with all that is it's so easy to say / handwave about but at the same time opaque and hard to debug when actually trying to do it | 13:53 |
| jrosser | noonedeadpunk: also https://paste.opendev.org/show/bDvBwr4pLLpkPfHXlMDp/ | 14:04 |
| jrosser | master should be working i think? | 14:05 |
| noonedeadpunk | hm | 14:05 |
| noonedeadpunk | that could have landed only with this https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/873632 | 14:05 |
| noonedeadpunk | ah | 14:06 |
| jrosser | yes i am wondering how that passes and my new AIO breaks | 14:06 |
| noonedeadpunk | and how that passsed https://review.opendev.org/c/openstack/openstack-ansible/+/887850 | 14:07 |
| jrosser | it looks like it tries to pass that whole yaml dict to this https://www.rabbitmq.com/rabbitmqctl.8.html#set_permissions | 14:09 |
| noonedeadpunk | the only way I see this could happen, if vhost is evaluated as string... | 14:09 |
| noonedeadpunk | oh | 14:09 |
| noonedeadpunk | also | 14:09 |
| noonedeadpunk | that needs new plugins version:) | 14:09 |
| jrosser | so another thing like config template that works in CI but not locally | 14:10 |
| noonedeadpunk | I guess it might need smth like that https://review.opendev.org/c/openstack/openstack-ansible/+/892373 | 14:10 |
| jrosser | oh wow that did not go well | 14:11 |
| noonedeadpunk | as current "master" might miss this thing: https://opendev.org/openstack/openstack-ansible-plugins/commit/ed5b610177059870a3e722b046de7ca0156357c3 | 14:11 |
| noonedeadpunk | though it's not issue in CI | 14:11 |
| jrosser | `"ERROR! Failed to switch a cloned Git repo `https://github.com/ansible-collections/ansible.netcommon` to the requested revision `5.1.2`` | 14:12 |
| noonedeadpunk | nah, latest is different | 14:12 |
| noonedeadpunk | it's before the last rebase | 14:13 |
| noonedeadpunk | proably worth just to update plugins SHA separately | 14:13 |
| jrosser | oh why oh why cannot galaxy keep the git repo | 14:13 |
| jrosser | especially if the source is git /o\ | 14:13 |
| noonedeadpunk | it's because tag is `v5.1.2` but in versions it's 5.1.2 | 14:14 |
| noonedeadpunk | ansible 2.15 can handle that, but not 2.13 | 14:14 |
| jrosser | that patch is stacked on top of the 2.15 change though? | 14:14 |
| noonedeadpunk | yeah, but it's failed due to zuul merge issue | 14:16 |
| noonedeadpunk | `Error merging gerrit/openstack/openstack-ansible-os_adjutant for 888985,4` | 14:16 |
| noonedeadpunk | as it's on top of another thing with tons of dependencies... | 14:17 |
| noonedeadpunk | jsut recheck should help | 14:17 |
| jrosser | this needs a look at https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/888729 | 14:21 |
| jrosser | maybe just rebase but i dont touch it yet | 14:21 |
| jrosser | then theres a bunch of adjutant related things https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/888985/3 | 14:22 |
| noonedeadpunk | ugh, yeah, need to rebase that... | 14:35 |
| noonedeadpunk | jrosser: do you rememeber how to pass kernel modules inside lxc? | 14:40 |
| jrosser | more that just making sure they are loaded on the host? | 14:40 |
| noonedeadpunk | I can recall there some .... allowlist or smth like that was to configure... | 14:41 |
| noonedeadpunk | I'm trying to mount cephfs inside repo container | 14:42 |
| noonedeadpunk | host does have ceph kernel module, but feels like container does not | 14:42 |
| jrosser | so i can cat /proc/modules in the container for example | 14:43 |
| noonedeadpunk | huh, yeah, ok | 14:43 |
| jrosser | and the number of lines there is the same as on the host | 14:43 |
| noonedeadpunk | true | 14:43 |
| jrosser | device files might be a different matter | 14:43 |
| noonedeadpunk | then issue is different I guess.... | 14:43 |
| jrosser | might need to bind mount the /dev entries or otherwise create them somehow | 14:44 |
| noonedeadpunk | jrosser: ah. I found the issue, sorry and thanks) | 14:45 |
| noonedeadpunk | (or I think I did) | 14:45 |
| jrosser | if it is bind mounting dev files then this is useful patch https://review.opendev.org/c/openstack/openstack-ansible/+/891695 | 14:47 |
| jrosser | so that you can have config like `lxc.mount.entry = /dev/ttyS0 dev/ttyS0 none bind,create=file 0 0` | 14:47 |
| noonedeadpunk | I _think_ it was absent storage network inside repo container | 14:47 |
| jrosser | ahha | 14:48 |
| jrosser | inside *repo* container, right | 14:48 |
| jrosser | for wheel builds? | 14:48 |
| jrosser | well today is my lucky day, looks like a race condition here https://paste.opendev.org/show/bPgVSIHyVPY5MwC373Zj/ | 14:53 |
| noonedeadpunk | yeah | 14:56 |
| noonedeadpunk | looks like that.... | 14:57 |
| jrosser | that probably just needs some retries | 15:06 |
| opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-os_neutron master: Retry applying OVN connection settings https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/893667 | 15:16 |
| jrosser | anyone with OVN clue, what should be listening on port 6641 in the northd container? | 15:39 |
| jrosser | 6642 is ovsdb-server | 15:40 |
| jrosser | ok so my issue was caused by pretty much all of this not being idempotent https://github.com/openstack/openstack-ansible-os_neutron/blob/master/tasks/providers/ovn_cluster_setup.yml#L88 | 15:47 |
| jrosser | if something in there fails and you run again, it stays failed | 15:47 |
| opendevreview | Merged openstack/ansible-role-pki master: Use TOX_CONSTRAINTS_FILE https://review.opendev.org/c/openstack/ansible-role-pki/+/890750 | 16:14 |
| opendevreview | Merged openstack/ansible-role-systemd_service master: Use TOX_CONSTRAINTS_FILE https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/890751 | 16:14 |
| noonedeadpunk | jrosser: then 893667 doesn't make much sense? | 16:24 |
| jrosser | I think the when: is only valid once | 16:24 |
| jrosser | I just did exactly that command at the cli in the container and it worked | 16:25 |
| jrosser | but because that OVN instance was now clustered you can never execute any failed setup tasks again | 16:25 |
| jrosser | I think my patch would fix the race condition on the first run like I originally had fail | 16:26 |
| jrosser | but still not help for subsequent runs | 16:26 |
| opendevreview | Merged openstack/openstack-ansible-os_tempest master: Allow include/exclude lists to be defined in many variables https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/891579 | 16:30 |
| opendevreview | Merged openstack/openstack-ansible-galera_server master: Fix role metadata https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/892296 | 16:33 |
| opendevreview | Merged openstack/openstack-ansible-os_mistral master: Fix linters and metadata https://review.opendev.org/c/openstack/openstack-ansible-os_mistral/+/892290 | 16:40 |
| opendevreview | Merged openstack/openstack-ansible-lxc_hosts master: Fix linters issues https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/892295 | 16:46 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-os_neutron master: Fix linters and metadata https://review.opendev.org/c/openstack/openstack-ansible-os_neutron/+/888729 | 16:55 |
| opendevreview | Merged openstack/openstack-ansible master: Fix linters to satisfy ansible-lint 6.18 https://review.opendev.org/c/openstack/openstack-ansible/+/886527 | 16:56 |
| noonedeadpunk | ok, yes, makes sense to me | 16:56 |
| opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible master: Update Senlin SHA https://review.opendev.org/c/openstack/openstack-ansible/+/892910 | 16:57 |
| Karni | Hi | 17:02 |
| opendevreview | Merged openstack/openstack-ansible master: Add default name for user collections file https://review.opendev.org/c/openstack/openstack-ansible/+/893230 | 17:02 |
| -opendevstatus- NOTICE: Some Gerrit changes that update Zuul configuration may fail with no response from Zuul. A fix is in progress. | 20:04 | |
| *** jonher_ is now known as jonher | 20:13 | |
| -opendevstatus- NOTICE: Gerrit changes with updates to Zuul's configuration should now be handled correctly. Recheck any changes to Zuul configuration which did not report results. | 22:37 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!